DETAILED ACTION 

1. This Office Action is in response to Applicant's Amendment filed May 7, 2009. 

Election/Restrictions 

2. Applicant's election without traverse of claims 1, 2, 7, 8, 13, and 14 (invention I) 
in the reply filed on May 7, 2009 is acknowledged. Accordingly, claims 1-30 are 
pending in this case and claims 1, 2, 7, 8, 13, and 14 are currently under examination. 
Claims 1, 7, and 13 are currently amended. 

Response to Arguments 

3. Applicant's arguments, see Remarks, filed November 24, 2008, with respect to 
the section 112 rejection of claims 1, 2, 7, 8, 13, and 14, as currently amended, have 
been fully considered and are persuasive. The section 112 rejection of claims 1, 2, 7, 8, 13, 
and 14 has been withdrawn. 

4. Applicant's arguments filed November 24, 2008, regarding the section 103 
rejections of claims 1, 2, 7, 8, 13, and 14, as currently amended, have been fully 
considered but they are not persuasive. 

5. Applicant argues, regarding claims 1, 7, and 13, that nothing in the cited 
reference discloses, teaches or suggests "comparison of an alert (indicating an attack 
or anomalous incident) - or more specifically, the comparison of features of the alert - to 
the features of existing alert classes, in order to classify the alert". 

6. Examiner respectfully disagrees and directs attention to Nine as follows. In Nine, 
"Upon receipt of the ticket, receiver process 250 parses the ticket and uses the 
information in the ticket to query accounting engine 248 for information on where to 
place the pending ticket (step 538)." (col 8 ln 38-41). In parsing the ticket, the receiver 
is taking features of the alert then comparing them to other alerts and classifying the 
alert, which is deciding where to place the pending ticket. In other words, the pending 
ticket gets placed with similar pending tickets, which are those in the same class. The 
class is decided by comparing the features of the ticket to features of other tickets. 
Further, it follows that if the features obtained in parsing the ticket or alert are very 
different from all other alerts, then the instant alert cannot be placed with others, and will 
eventually form its own class. 

Claim Rejections - 35 USC § 101 

7. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

8. Whoever invents or discovers any new and useful process, machine, 
manufacture, or composition of matter, or any new and useful improvement thereof, 
may obtain a patent therefor, subject to the conditions and requirements of this title. 

9. Claims 1-2 and 7-8 are rejected under 35 U.S.C. §101 because the claimed 
invention is directed to non-statutory subject matter. 

10. In this case, claims 1-2 are rejected under 35 U.S.C. §101 because the claimed 
invention is directed to non-statutory subject matter. Based on Supreme Court 
precedent (See also Diamond v. Diehr, 450 U.S. 175, 184 (1981); Parker v. Flook, 437 
U.S. 584, 588 n.9 (1978); Gottschalk v. Benson, 409 U.S. 63, 70 (1972); Cochrane v. 
Deener, 94 U.S. 780, 787-88 (1876)) and recent Federal Circuit decisions, a §101 
process must (1) be tied to another statutory class (such as a particular apparatus) or 
(2) transform underlying subject matter (such as an article or materials) to a different 
state or thing. In addition, the tie to a particular apparatus, for example, cannot be mere 
extra-solution activity. See In re Bilski, 88 USPQ2d 1385 (Fed. Cir. 2008). To meet 
prong (1), the method step should positively recite the other statutory class (the thing or 
product) to which it is tied. This may be accomplished by having the claim positively 
recite the machine that accomplishes the method steps. Alternatively or to meet prong 
(2), the method step should positively recite identifying the material that is being 
changed to a different state or positively recite the subject matter that is being 
transformed. 

11. Specifically, regarding claim 1, the device or machine represents mere 
extra-solution activity, as part of a preamble. The various steps in claim 1 can be reasonably 
interpreted as being performed by a person alerting another person via a shout, for 
example, or via mental steps in comparing one alert with another. Further, no material 
is being changed to a different state. For these reasons, independent claim 1 and its 
dependent claim 2 are rejected under section 101. 

12. Under the broadest reasonable interpretation standard, claims 7-8 recite a 
computer program only. "Computer programs claimed as computer listings per se, i.e., 
the descriptions or expressions of the programs, are not physical 'things.' They are 
neither computer components nor statutory processes, as they are not 'acts' being 
performed." MPEP §2106.01 I. Because the claims recite only abstractions that are 
neither "things" nor "acts," the claims are not within one of the four statutory classes of 
invention. 1 Because the claims are not within one of the four statutory classes of 
invention, the claims are rejected under 35 U.S.C. §101. 

13. In this particular case, independent claim 7 recites a "computer readable medium 
containing an executable program . . ." The claim recites neither computer components 
nor statutory processes, as they are not "acts" MPEP §2106.01 I. Because the claim 
recites only abstractions that are neither "things" nor "acts," the claim(s) are not within 
one of the four statutory classes of invention. Because independent claim 7 is not within 
one of the four statutory classes of invention, independent claim 7 and its dependent 
claim 8 are rejected under 35 U.S.C. §101. 

Claim Rejections - 35 USC § 102 

14. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(a) the invention was known or used by others in this country, or patented or described in a printed 
publication in this or a foreign country, before the invention thereof by the applicant for a patent. 

15. Claims 1, 2, 7, 8, 13, and 14 are rejected under 35 U.S.C. 102(a) as being 
anticipated by Nine et al (US 6,560,611). 

16. Regarding claims 1, 7, and 13 - 



1 35 U.S.C. §101 defines four categories of inventions that Congress deemed to be the 
appropriate subject matter of a patent; namely, processes, machines, manufactures and 
compositions of matter. The latter three categories define "things" (or products) while 
the first category defines "actions" (i.e., inventions that consist of a series of steps or 
acts to be performed). 
17. Nine discloses in an intrusion detection system (abs, col 2 ln 65-67) that 
includes a plurality of sensors (e.g. col 3 ln 1-5) that generate alerts when attacks or 
anomalous incidents are detected, a method for organizing alerts into alert classes, both 
the alerts and alert classes having a plurality of features (col 4 ln 52-55), the method 
comprising the steps of: 

(a) receiving a new alert (called "message" at col 3 ln 25-30 or "ticket" at col 3 ln 15-20, 
col 5 ln 32-34, col 7 ln 47-50, col 7 ln 63-col 8 ln 9); 

(b) identifying a set of similar features shared by the new alert and one or more 
existing alert classes (e.g. col 3 ln 12-20, col 8 ln 35-42); 

(c) updating a threshold similarity requirement for one or more features (e.g. col 5 ln 
50-col 6 ln 10, col 9 ln 22-40); 

(d) updating a similarity expectation for one or more features (e.g. col 5 ln 50-col 6 
ln 10, col 9 ln 30-35); 

(e) comparing the new alert with one or more alert classes, and either: 

(f1) associating the new alert with the existing alert class that the new alert most 
closely matches (col 7 ln 22-46, col 5 ln 32-37, col 8 ln 35-42); or 

(f2) defining a new alert class that is associated with the new alert (col 9 ln 5-40). 

18. Regarding claims 2, 8, and 14 - 

19. Nine discloses the method of claim 1 further comprising the step (a) of passing 
each existing alert class through a transition model to generate a new prior belief state 
for each alert class (e.g. col 5 ln 60-col 6 ln 10, col 9 ln 22-40). 
20. As above, although Nine discloses messages rather than "alerts", the said 
messages are the functional equivalents of alerts, where generally, the disclosure of 
Nine may be adapted by one of ordinary skill in the art to obtain the instant application. 



Conclusion 

21. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to CRISTINA SHERR whose telephone number is 
(571)272-6711. The examiner can normally be reached on 8:30-5:00 Monday through 
Friday. 

22. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Calvin L. Hewitt, II can be reached on (571)272-6709. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

23. Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 